New cases demonstrate that attacks on utilities are on the increase and are affecting both private and public operators. The German government’s response was the IT Security Act. After around one and a half years in force, its scope has now been substantially extended.
Recently, worrying news from the energy sector has been attracting attention. First, it was reported that the stricken Chernobyl nuclear power plant had been hit by a ransomware attack. The NotPetya variant was the second largest wave of attacks after WannaCry. In both cases, Ukraine was particularly badly affected and was also identified as the presumed target, which explains why the cyber criminals had Chernobyl in their sights. As the German weekly newspaper "Die Zeit" reported, several infected computers had to be switched off at the Chernobyl plant, the site of a major nuclear accident in 1986. The attack did not cause any serious problems, but it is remarkable that malware targeting Windows PCs managed to penetrate such sensitive areas.
These attacks bring back memories of the major blackout in Ukraine in December 2015. At that time, more than 200,000 people were without electricity for hours, in some cases for days. Because electricity is often used for heating in Ukraine, the situation was extremely serious.
But it is not just Ukrainian power plants that are being attacked. According to a report in the New York Times, hackers are currently focusing on penetrating companies in the US energy sector. The FBI and the Department of Homeland Security have revealed that one of the victims was the Wolf Creek Nuclear Operating Corporation, which, among other facilities, operates a nuclear power plant near Burlington, Kansas.
Public infrastructure increasingly at risk
But it is not just power plants that are affected by cyberattacks. Hydropower stations and hospitals have also been targeted. Public infrastructure is increasingly in the line of fire, although it is generally unclear whether the perpetrators are criminal blackmailers or political activists.
In Germany, the response to this development was the IT Security Act, which came into force about a year ago. It obliges the operators of critical infrastructures to implement security measures and to report security breaches. In the KRITIS Regulation (BSI-KritisV), the Federal Office for Information Security (BSI) has defined which industrial and business sectors count as critical infrastructure. Until now, only the energy, water, food and information technology sectors have been deemed critical infrastructure (BSI-KritisV Korb I).
KRITIS scope extended
At the end of June, the scope of the act was extended to the sectors health, finance, insurance, transport and traffic (BSI-KritisV Korb II). As they are also considered relevant for the provision of services to the public, companies and institutions in these sectors are now likewise obliged to take stricter security measures to prevent serious shutdowns and to report any security incidents to the BSI. By the end of the year, operators in these sectors have to register with the BSI and designate a responsible contact point within their company.
However, not only do they all have to provide greater protection for their IT infrastructure, they also have to have the measures they implement audited every two years. The audit also determines whether the measures taken comply with the state of the art. In this regard, the BSI provides the following explanation on its website: "Operators of critical infrastructure are obliged to appropriately protect the IT necessary for the delivery of their important services according to the latest state-of-the-art".
But this is currently the contentious issue: what is the state of the art, and which criteria apply to it? Critics call for the standard to be aligned to the market, i.e. to the security products available on the market. But the range of products is broad and constantly changing. This is why the BSI is proposing a different approach: "What the state-of-the-art is at a specific time can be determined, for instance, from existing national or international standards and norms e.g. DIN, ISO, DKE or ISO/IEC, or on the basis of models that have proven effective in practice in the respective sector," says the agency.
Critics still see a need for further differentiation. For example, different measures should be deemed appropriate for smaller businesses than for large companies. If the legislation does not manage to create acceptable rules for all those affected, it will probably be left to the courts to provide clarification.
Before this happens, those who will be affected by this legislation can obtain an overview of the latest state of the art at it-sa this autumn.
You will also find news about all aspects of it-sa and the IT security environment in the it-sa Security Newsletter.